IEC 61508: A comprehensive guide to functional safety with FAQ
IEC 61508 is an international standard developed by the International Electrotechnical Commission (IEC) to ensure the functional safety of systems that incorporate electrical, electronic, or programmable electronic (E/E/PE) devices. It provides a framework for designing, implementing, operating, and maintaining safety-related systems to reduce risks to a tolerable level. Have a look at our guide to IEC 61508 to navigate the standard with confidence. There’s a comprehensive FAQ section, too.
In safety-critical industries, system failures can have catastrophic consequences. This can include injuries, loss of life, or environmental harm. IEC 61508 plays a crucial role in mitigating these risks by providing a structured framework for the design, implementation, and maintenance of safety-related systems to ensure their functional safety.
Functional safety allows systems to perform their intended safety functions reliably when required, reducing risks to an acceptable level. IEC 61508 serves as the foundation for numerous industry-specific standards, offering a consistent reference point for developing safety-related systems across various sectors.
IEC 61508 also carries significant legal implications, particularly in Europe, where it aligns with the General Product Safety Directive 2001/95/EC (GPSD). This directive mandates that manufacturers of safety-critical products adhere to ‘State-of-the-Art’ development principles.
In the context of electronic safety-related systems, ‘State-of-the-Art’ refers to widely accepted best practices, which are now encapsulated in IEC 61508:2010 and its derived industry-specific standards. Failure to comply with these established practices could leave companies unable to use the “State-of-the-Art” defense in legal disputes concerning product fitness for purpose.

What do E/E/PE and E/E/PES refer to?
The international standard IEC 61508:2010 is officially titled “Functional safety of electrical/electronic/programmable electronic safety-related systems.”
Due to its length, this title is often shortened to “Functional safety of E/E/PE safety-related systems” or even further to “Functional safety of E/E/PES.”
Goals of IEC 61508
The main goals of the standard include:
- Foster technological innovation: Support advancements in electrical, electronic, and programmable electronic (E/E/PE) systems within a robust safety framework.
- Provide a systematic and flexible approach: Offer a technically sound, system-based methodology which is adaptable to future developments.
- Adopt a risk-based methodology: Utilise a risk-based approach to define the required performance of safety-related systems, ensuring specified risks are managed effectively. These risks can be quantified or addressed in semi-quantitative terms.
- Support industry and sector standards: Serve as a generic standard applicable across industries while also assisting in the development of sector-specific standards (e.g., machinery, chemical processes) or product-specific standards (e.g., power drive systems).
- Build confidence in computer-based systems: Provide tools and guidelines for users and regulators to trust computer-based safety technologies.
- Streamline supply chains and communication: Establish common principles to:
  - Enhance efficiency in supply chains for components such as sensors and controllers.
  - Improve clarity in communication and specification requirements.
  - Promote the development of techniques and measures applicable across all sectors.
- Enable conformity assessment: Facilitate the creation of conformity assessment services where needed, ensuring compliance with safety standards.
How many parts are there in IEC 61508? Which parts are concerned with software?
IEC 61508 is structured into seven key parts:
Part 1: General Requirements: Defines the overarching requirements for achieving functional safety, including the safety lifecycle, risk assessment methodologies, and safety management protocols.
Part 2: Requirements for E/E/PE Safety-related Systems: Focuses on specific requirements related to the hardware components of electrical, electronic, and programmable electronic (E/E/PE) safety-related systems.
Part 3: Software Requirements: Details the requirements for the software components used in safety-related systems, covering the complete software development lifecycle, from initial specification to final validation.
Part 4: Definitions and Abbreviations: Provides a comprehensive glossary of terms and abbreviations used throughout the IEC 61508 standard.
Part 5: Examples of Methods for Determining Safety Integrity Levels (SIL): Offers practical examples and various methods for determining the appropriate SIL for specific safety functions.
Part 6: Guidelines on the Application of Parts 2 and 3: Provides guidance on how to effectively implement the requirements outlined in Part 2 (hardware) and Part 3 (software).
Part 7: Overview of Techniques and Measures: Presents a broad overview of the various techniques and measures that can be employed to achieve and maintain functional safety.
Parts 1 through 3 contain the standard’s core requirements and are therefore normative. Part 4 provides essential definitions. The remaining sections, Parts 5 through 7, offer supportive guidelines and illustrative examples for development, making them informative in nature.
While all sections are relevant to some degree, software developers will primarily focus on IEC 61508-3:2010, titled “Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 3: Software requirements.” This part details the specific requirements for software used in safety-related systems. However, it’s crucial to remember that a comprehensive understanding of IEC 61508 necessitates familiarity with all seven parts of the standard.
Key concepts in functional safety
To effectively understand IEC 61508, it’s essential to grasp several foundational concepts and terms:
- Functional safety: This aspect of overall system safety relies on the system’s ability to operate correctly in response to inputs. It involves preventing dangerous failures and, if a failure occurs, ensuring the system responds in a manner that minimises risk.
- Safety integrity level (SIL): SIL measures the reliability and performance of a safety function. It’s quantified by the probability of failure on demand (PFD) or the frequency of dangerous failures per hour. There are four SILs, ranging from SIL 1 (the lowest level of safety integrity) to SIL 4 (the highest).
- Safety lifecycle: This structured process encompasses all stages of a safety-related system’s life, from initial concept to decommissioning. It guarantees that safety is considered and managed throughout the entire system’s lifespan.
What are IEC 61508 SILs (Safety Integrity Levels)?
For embedded software developers working with IEC 61508:2010, Part 3, “Software Requirements,” is of primary importance. However, the effort needed to fulfill each objective within this standard is directly related to the Safety Integrity Level (SIL) of the safety functions implemented by the system.
Determining the appropriate SIL is detailed in Part 5 of the standard, titled “Examples of methods for the determination of safety integrity levels.” This section outlines various quantitative methods for SIL derivation.
Annex A of Part 5 addresses the concept of “Necessary Risk Reduction.” The tolerable risk level is contingent on factors such as the severity of potential injuries, the number of individuals exposed to the hazard, and the frequency and duration of that exposure.
IEC 61508 defines Safety Integrity as “the probability of a safety-related system satisfactorily performing the required safety functions under all the stated conditions within a stated period of time.”
The SIL assigned to each safety function therefore depends on the probability of dangerous failure that can be tolerated, which can be assessed using different approaches. The lower that tolerable probability of failure (that is, the greater the necessary risk reduction), the higher the required SIL (SIL 1 to SIL 4), and the more stringent and demanding the software development practices needed to achieve an acceptable level of risk.
- SIL 1: Lowest level of safety integrity, with a higher probability of failure.
- SIL 2: Moderate level of safety integrity, with a lower probability of failure than SIL 1.
- SIL 3: High level of safety integrity, with a significantly lower probability of failure than SIL 2.
- SIL 4: Highest level of safety integrity, with the lowest probability of failure.

The safety lifecycle approach
The figure illustrates a simplified representation of the Overall Safety Lifecycle, which is one of three key safety lifecycles: the Overall Safety Lifecycle, the E/E/PE System Safety Lifecycle, and the Software Safety Lifecycle.

Each of these lifecycles consists of multiple phases, with each phase outlining specific requirements that must be met. These requirements are closely tied to technical specifications, ensuring that safety considerations are systematically addressed throughout the development process.
What other standards are related to IEC 61508?
IEC 61508 serves as the foundation for numerous sector-specific functional safety standards. These adapted standards address the unique needs of various industries and are often more appropriate for those contexts; examples include ISO 26262, designed for functional safety in motor vehicles, and IEC 62304, tailored for medical device software.
Below you can see how IEC 61508 relates to other standards:
- IEC 61508 & IEC 61511: IEC 61511, “Functional safety – Safety instrumented systems for the process industry sector,” exemplifies an industry-specific standard derived from IEC 61508. While their lifecycle processes are conceptually similar, IEC 61511 utilises terminology and examples directly relevant to the process industries. The software development processes promoted by both standards are essentially identical, with IEC 61511 referencing IEC 61508 for software-specific guidance.
- IEC 61508 & ISO 26262: ISO 26262, focused on the automotive sector, is also derived from IEC 61508. ISO 26262 can be more prescriptive in certain areas; for instance, it defines a specific Hazard and Risk Analysis (HARA) technique. Variations between the standards reflect the specific conditions of the automotive industry, such as higher production volumes, which make approaches like “proven in use” more applicable. It also uses “ASILs” (Automotive Safety Integrity Levels), which are qualitative measurements of risk derived differently from the SILs in IEC 61508.
- IEC 61508, ISO 13849, & IEC 62061: ISO 13849 (“Safety of machinery — Safety-related parts of control systems”) and EN IEC 62061 (“Safety of machinery, functional safety of safety-related electrical, electronic and programmable electronic control systems”) are harmonised to the EU’s Machinery Directive. While a proposed standard (IEC/ISO 17305) to merge them was cancelled, ISO 13849-1 suggests that Safety-Related Parts of Control Systems (SRP/CS) designed to an appropriate level in ISO 13849, IEC 62061, or IEC 61508 can be combined.
Industry-specific variants
Safety-critical systems across various industries rely on specialised standards derived from the foundational IEC 61508 framework to ensure functional safety.
Automotive
ISO 26262, an adaptation of IEC 61508, is the primary standard for functional safety in automotive electric and electronic systems. It has been widely adopted by major car manufacturers.
Prior to ISO 26262, the Motor Industry Software Reliability Association (MISRA) guidelines were the main reference for developing safety-related automotive software. MISRA, established to guide the creation of embedded software for road vehicle electronic systems, published its first set of guidelines in 1994. This document was the automotive industry’s initial interpretation of IEC 61508 principles.
Today, MISRA is best known for its C and C++ programming guidelines, which have become the de facto standard for embedded programming in safety-critical industries and are also used to enhance software quality in non-safety applications.
Rail
IEC 62279 provides a specialised interpretation of IEC 61508 for railway applications, focusing on software development for control and protection systems, including communication and signaling. Its equivalent CENELEC standards are EN 50128 and EN 50657.
Process industries
IEC 61511 addresses safety practices in the process industry, covering sectors such as refineries, petrochemical plants, pharmaceuticals, pulp and paper production, and power generation. It provides guidance on engineering systems that ensure process safety through instrumentation.
Power plants
IEC 61513 specifies requirements for instrumentation and control systems critical to the safety of nuclear power plants. It encompasses both conventional hardwired and computer-based equipment or their combinations. ISO also provides an overview of nuclear power plant-specific safety norms.
Machinery
IEC 62061 is the machinery-specific implementation of IEC 61508. It outlines requirements for designing safety-related electrical control systems at the system level and for non-complex subsystems or devices.

Challenges and considerations
Complexity of the safety lifecycle
IEC 61508 defines a comprehensive safety lifecycle with 16 phases, covering analysis, realisation, and operation. Managing activities across all these phases requires significant resources and coordination.
Ensuring consistency and traceability throughout the lifecycle is complex, especially for large systems with multiple interdependencies.
Determining safety integrity levels (SILs)
Assigning appropriate SILs involves rigorous hazard and risk analysis, which can be subjective and lacks a universally prescribed method in the standard.
Higher SILs demand stricter requirements, making compliance more resource-intensive.
Addressing systematic and random failures
The standard requires measures to prevent systematic errors (e.g., design flaws) and mitigate random hardware failures. This dual focus increases the complexity of compliance efforts.
Implementing fault-tolerant designs and ensuring predictable failure modes are technically challenging.
Software-specific challenges
Software development under IEC 61508 must follow strict guidelines, including coding standards (e.g., MISRA) and rigorous testing procedures to eliminate errors.
Achieving bidirectional traceability between requirements, design, and testing is critical but difficult to implement without specialised tools.
Documentation requirements
The standard mandates extensive documentation for hazard analysis, risk assessment, design specifications, testing results, and maintenance plans. This documentation must be detailed enough to demonstrate compliance during audits.
Human factors
Human errors during design, implementation, or maintenance can undermine compliance efforts. Training personnel on functional safety principles is essential but resource-intensive.
Environmental and external factors
External influences such as temperature fluctuations, electromagnetic interference, or power disturbances must be accounted for in system design and testing.
Certification costs and efforts
While certification is not always mandatory, achieving it adds credibility but requires significant investment in time, tools, and expertise to meet the standard’s stringent requirements.
Implementing IEC 61508
With extensive expertise in implementing IEC 61508 and related standards, our team has worked with a diverse range of enterprises, gaining invaluable insights into best practices and common pitfalls.
Our deep understanding of these standards ensures we can guide you through the implementation process efficiently, avoiding costly mistakes and overcoming all challenges.
Schedule a free consultation with our experts today and let us help you integrate IEC 61508 standards to boost the safety and reliability of your systems.
To ensure safety, all significant hazards related to equipment and its control systems must be identified through a thorough hazard analysis, conducted by either the specifier or developer. This analysis determines whether functional safety measures are needed to provide adequate protection. If required, these measures must be integrated into the design in a structured and effective way. While functional safety plays a key role in risk mitigation, it is just one part of a broader safety approach—eliminating or reducing hazards through inherent safety in design remains the top priority.
The IEC 61508 standard outlines best practices for achieving functional safety within applicable systems, providing a clear framework for designing reliable and secure solutions.
IEC 61508 sets the framework for safety-related systems that rely on electrical, electronic, or programmable electronic (E/E/PE) components. It focuses on managing risks associated with the failure of safety functions these systems perform, rather than hazards linked to the hardware itself (e.g., electric shock). As a universally applicable standard, IEC 61508 can be used across industries, ensuring consistent safety measures regardless of the specific application.
Beyond preventing safety risks, the standard also addresses failures that could result in significant economic consequences. In such cases, IEC 61508 provides guidelines for implementing E/E/PE safety-related systems to protect both equipment and products. More detailed information on its scope is outlined in IEC 61508-1.
The standard applies to a wide range of safety-critical systems, including:
- Emergency shut-down systems – Automatically stopping operations in case of detected hazards.
- Fire and gas systems – Detecting and responding to fire or gas leaks.
- Turbine control – Ensuring safe operation and shutdown of turbines.
- Gas burner management – Preventing malfunctions and unsafe ignition conditions.
- Crane safety indicators – Monitoring and preventing overload situations.
- Machine safety systems – Including guard interlocking and emergency stop functions.
- Medical devices – Ensuring safe and reliable operation of life-critical equipment.
- Dynamic positioning systems – Controlling ship movement near offshore installations.
- Railway signaling – Enhancing train safety through precise signaling systems.
- Variable speed motor drives – Limiting speed to prevent hazardous conditions.
- Remote process monitoring and control – Enabling safe operation and intervention in networked industrial systems.
- Decision-support tools – Where incorrect outputs could impact safety.
Safety functions in these applications are implemented using a variety of technologies, including electro-mechanical relays, non-programmable solid-state electronics, and programmable devices such as microprocessors and programmable logic controllers (PLCs).
Regardless of the technology, IEC 61508 applies to the entire safety-related system—from sensors to control logic, communication networks, and final actuators. The effectiveness of safety functions depends on viewing and designing the system as a whole, so that every component works together to meet rigorous safety requirements.
IEC 61508 applies to any safety-related system that incorporates electrical, electronic, or programmable electronic (E/E/PE) devices. This broad applicability is intentional, as many of the standard’s requirements—particularly those outlined in IEC 61508-1—are technology-agnostic. In fact, the early stages of development, including concept definition, hazard and risk analysis, and overall safety requirement specification, often take place before the final implementation technology is even selected.
Even in later phases, such as system realisation, functional safety requirements extend beyond E/E/PE devices to include non-electronic components like mechanical systems. For instance, the hardware reliability and fault tolerance requirements specified in IEC 61508-2 apply to all components within a safety-related system, regardless of whether they rely on E/E/PE technology.
For low-complexity E/E/PE safety-related systems, full compliance with IEC 61508 is achievable without necessarily meeting every individual requirement, allowing for a flexible yet rigorous approach to ensuring system safety.
IEC 61508 focuses on achieving functional safety, which is defined as the absence of unacceptable risk of physical injury or harm to human health. This includes both direct impacts and indirect consequences resulting from damage to property or the environment (as outlined in IEC 61508-4, section 3.1). By explicitly addressing long-term health risks, including those arising from environmental or property damage, the standard ensures a comprehensive approach to safety.
Beyond physical safety, IEC 61508 also acknowledges the economic consequences of system failures. In cases where failure could result in significant financial losses, the standard can be applied to specify safety-related E/E/PE systems designed to protect equipment and products (IEC 61508-1, section 1.2f).
The necessary safety functions and their required performance levels are determined through hazard and risk analysis (as detailed in IEC 61508-5). A similar methodology can be applied to assess environmental or financial risks by substituting safety parameters with equivalent environmental or financial criteria. The core requirements of the standard remain relevant in these contexts, including the performance levels, which are quantified based on the probability or frequency of dangerous failures (refer to IEC 61508-1, Tables 2 & 3).
- IEC 61508-1:2010 (SC 65A): Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 1: General requirements
- IEC 61508-2:2010 (SC 65A): Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 2: Requirements for electrical/electronic/programmable electronic safety-related systems
- IEC 61508-3:2010 (SC 65A): Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 3: Software requirements
- IEC 61508-4:2010 (SC 65A): Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 4: Definitions and abbreviations
- IEC 61508-5:2010 (SC 65A): Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 5: Examples of methods for the determination of safety integrity levels
- IEC 61508-6:2010 (SC 65A): Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 6: Guidelines on the application of IEC 61508-2 and IEC 61508-3
- IEC 61508-7:2010 (SC 65A): Functional safety of electrical/electronic/programmable electronic safety-related systems – Part 7: Overview of techniques and measures
IEC 61508 is a paid publication and can be purchased online through the IEC or from the national standards body in your country.
However, a preview of the standard, including the table of contents, foreword, introduction, scope, and normative references, is available for free download on the IEC Webstore.
Annex A of IEC 61508-5 introduces risk and safety integrity. In IEC 61508-1, clause 7 outlines the overall safety lifecycle requirements, which are visually represented in a lifecycle diagram (Figure 2) and summarised in Table 1. Additionally, key aspects such as verification, functional safety management, and functional safety assessment are detailed in clauses 7.18, 6, and 8, respectively.
For a broader overview, Annex A of IEC 61508-6 offers an eight-page summary of the requirements in IEC 61508-2 and IEC 61508-3.
IEC 61508-2 presents the E/E/PE system safety lifecycle requirements in clause 7, with a corresponding lifecycle diagram in Figure 2 and a phase-by-phase summary in Table 1. Similarly, IEC 61508-3 outlines the software safety lifecycle requirements in clause 7, illustrated in Figure 3 and summarised in Table 1.
Each requirement within IEC 61508 should be interpreted in the context of its relevant lifecycle phase, considering the objectives set for that phase, clause, or subclause. These objectives are always stated before the corresponding requirements.
The adoption of IEC International Standards by any country, regardless of IEC membership, is entirely voluntary. However, IEC National Committees strive to incorporate these standards as transparently and extensively as possible into national and regional regulations. Any deviations from an IEC International Standard in a corresponding national or regional standard must be explicitly stated.
The standard provides a general framework for all safety lifecycle activities related to E/E/PE safety systems used to perform safety functions. This unified approach ensures the development of a rational and consistent technical policy for all E/E/PE safety systems, regardless of the application sector. One of the primary goals is to support the creation of international product and application sector standards based on the IEC 61508 series. As a result, the first four parts of the standard serve as foundational safety publications.
Parts 1, 2, 3, and 4 of IEC 61508 are recognised as IEC basic safety publications. This designation means that IEC Technical Committees must reference these parts when preparing their own international standards for products or application sectors that involve E/E/PE safety-related systems. As a result, IEC 61508 will have broad implications across all IEC application sectors.
Note 1: The basic safety publication status does not apply to low complexity E/E/PE safety-related systems or when the required safety integrity of the E/E/PE system is below the lowest safety integrity level specified in IEC 61508.
Note 2: The basic safety publication status of this international standard does not apply to medical equipment in compliance with the IEC 60601 series.
- IEC 61513 ed1.0 (2001-03) (SC 45A): Nuclear power plants – Instrumentation and control for systems important to safety – General requirements for systems
- IEC 61511-1 ed1.0 (2003-01) (SC 65A): Functional safety – Safety instrumented systems for the process industry sector – Part 1: Framework, definitions, system, hardware and software requirements
- IEC 61511-2 ed1.0 (2003-07) (SC 65A): Functional safety – Safety instrumented systems for the process industry sector – Part 2: Guidelines for the application of IEC 61511-1
- IEC 61511-3 ed1.0 (2003-03) (SC 65A): Functional safety – Safety instrumented systems for the process industry sector – Part 3: Guidance for the determination of the required safety integrity levels
- IEC 62061 ed1.0 (2005-01) (TC 44): Safety of machinery – Functional safety of safety-related electrical, electronic and programmable electronic control systems
- IEC 61800-5-2 ed1.0 (2007-07) (SC 22G): Adjustable speed electrical power drive systems – Part 5-2: Safety requirements – Functional
Other standards may also be in development.
Alongside the creation of product and application sector international standards based on IEC 61508, numerous standards reference IEC 61508.
Due to the differing technical criteria in IEC 61508 and EN 954-1:1996 (which was also published as ISO 13849-1:1999 and later superseded by ISO 13849-1:2006), these two standards do not provide a sufficient technical basis to directly link safety performance measures based on the category requirements in EN 954-1:1996 with the safety integrity levels (SIL) requirements in IEC 61508.
However, from a practical perspective, an E/E/PE safety-related system that supports SIL 1 safety functions (according to IEC 61508) generally meets the requirements for category 1 or category 2 systems (according to EN 954-1:1996). Similarly, SIL 2 corresponds to category 3, and SIL 3 corresponds to category 4.
It is crucial to note that there is no reverse correlation. For example, a category 3 E/E/PE safety-related system cannot be said to support SIL 2 safety functions, as many of the IEC 61508 requirements have no equivalent in EN 954-1:1996.
For further details, refer to IEC 62061.
Yes. A key objective of the standard is to facilitate the development of E/E/PE safety-related systems in sectors where product or application sector international standards are not yet available.
Many of the requirements in IEC 61508, especially those in IEC 61508-2 and IEC 61508-3, are not restated in product or application sector standards but are instead referenced. As a result, most users of product or application sector international standards will also need to consult IEC 61508.
For further information, please contact your national committee.
The term “shall” used in a requirement indicates that the requirement must be strictly followed if compliance with the standard is to be claimed.
When “should” or “it is recommended that” is used, it suggests that, among various options, one is particularly suitable, without excluding others, or that a certain course of action is preferred but not obligatory.
Normative elements outline the provisions that must be followed to claim compliance with the standard. These elements typically include both “shall” and “should” statements.
In IEC 61508, the normative elements are found in: Part 1 (excluding the annex), Part 2 (including annexes A, B, C, D, and E but excluding F), Part 3 (including annexes A and D but excluding annexes B, C, E, F, and G), and Part 4. Parts 5, 6, and 7 contain no normative requirements.
Informative elements provide supplementary information to assist in understanding or using the standard but are not mandatory for compliance. Informative elements cannot contain “shall.” Notes and footnotes are always considered informative.
In IEC 61508, the following are informative: Annex A of Part 1, Annex F of Part 2, Annexes B, C, E, F, and G of Part 3, and all annexes in Parts 5, 6, and 7.
For the overall structure of the IEC 61508 series, refer to IEC 61508-1, Figure 1 (page 10 of the preview).
If the standard is applied to low complexity E/E/PE safety-related systems, and there is reliable field experience that provides sufficient confidence that the required safety integrity can be achieved, some of the requirements in the standard may be unnecessary. In such cases, exemption from compliance with these requirements is acceptable, provided it is justified (refer to section 4.2 of IEC 61508-1).
The standard does not specify which requirements this exemption applies to, leaving it to the user to determine and justify. However, it is important to note that the conditions under which this relaxation is permitted are very restrictive.
IEC 61508 divides the specification of safety functions into two components:
- Safety function requirements (what the function does)
- Safety integrity requirements (the likelihood of the function being performed satisfactorily)
The standard does not specify the exact safety function or safety integrity requirements needed for any particular application.
The safety integrity level (SIL 1, 2, 3, or 4) corresponds to a range of safety integrity values, which are measured for a specific safety function in terms of:
- The average probability of a dangerous failure on demand (for low demand mode of operation); or
- The average frequency of a dangerous failure per hour (for high demand or continuous mode of operation).
Note: For more information on the mode of operation, see IEC 61508-4, subclause 3.5.16.
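As an added worked example (not code from the standard, this guide’s authors, or any certified tool), the Python below carries the allocation described here and under “Necessary Risk Reduction” above from a tolerable hazardous-event frequency to a target measure and SIL band. The band limits are those of IEC 61508-1:2010 Tables 2 and 3, the one-demand-per-year mode boundary is from IEC 61508-4:2010 subclause 3.5.16, the hazard figures are constructed, and the per-hour treatment of high demand mode is a simplification labelled in the code.

```python
"""Allocate a target SIL band from a hazard-analysis result.

Added example for this guide; not code from IEC 61508 or any certified
tool. Band limits: IEC 61508-1:2010 Tables 2 and 3. Mode boundary
(demands no more often than once a year = low demand): IEC 61508-4:2010
3.5.16. Low-demand relation F_t = F_np * PFDavg: the simplified form
used in IEC 61508-5 Annex A. All hazard numbers below are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

HOURS_PER_YEAR = 8760.0


class Mode(Enum):
    LOW_DEMAND = "low demand: target is PFDavg"
    HIGH_DEMAND = "high demand / continuous: target is PFH"


# (SIL, lower bound inclusive, upper bound exclusive); IEC 61508-1 Table 2
PFD_BANDS = [(4, 1e-5, 1e-4), (3, 1e-4, 1e-3), (2, 1e-3, 1e-2), (1, 1e-2, 1e-1)]
# Same shape for the per-hour measure; IEC 61508-1 Table 3
PFH_BANDS = [(4, 1e-9, 1e-8), (3, 1e-8, 1e-7), (2, 1e-7, 1e-6), (1, 1e-6, 1e-5)]


@dataclass(frozen=True)
class Hazard:
    name: str
    demand_rate_per_year: float     # F_np: hazardous-event frequency with no protection
    tolerable_rate_per_year: float  # F_t: tolerable frequency from the risk criteria


def mode_of_operation(h: Hazard) -> Mode:
    """Demands no more often than once a year put the function in low demand mode."""
    return Mode.LOW_DEMAND if h.demand_rate_per_year <= 1.0 else Mode.HIGH_DEMAND


def required_risk_reduction(h: Hazard) -> float:
    """Necessary risk reduction factor F_np / F_t (a value <= 1 means no reduction is needed)."""
    if h.demand_rate_per_year <= 0 or h.tolerable_rate_per_year <= 0:
        raise ValueError("rates must be positive")
    return h.demand_rate_per_year / h.tolerable_rate_per_year


def target_measure(h: Hazard) -> Tuple[Mode, float]:
    """Return the mode of operation and the numeric target the safety function must meet."""
    mode = mode_of_operation(h)
    if mode is Mode.LOW_DEMAND:
        # F_t = F_np * PFDavg  =>  PFDavg target = F_t / F_np = 1 / RRF
        return mode, 1.0 / required_risk_reduction(h)
    # Simplifying assumption for this example: with frequent demands every
    # dangerous failure leads to the hazardous event, so the tolerable event
    # rate expressed per hour is the PFH target.
    return mode, h.tolerable_rate_per_year / HOURS_PER_YEAR


def sil_for(measure: float, bands) -> Optional[int]:
    """Map a PFDavg or PFH value to a SIL band.

    0 means the target is less demanding than SIL 1 (no SIL claim is needed);
    None means it is more demanding than SIL 4, which a single E/E/PE
    safety-related system cannot claim, so the risk must be reduced by other means.
    """
    for sil, lo, hi in bands:
        if lo <= measure < hi:
            return sil
    return 0 if measure >= bands[-1][2] else None


def allocate(h: Hazard) -> Tuple[Mode, float, Optional[int]]:
    mode, target = target_measure(h)
    bands = PFD_BANDS if mode is Mode.LOW_DEMAND else PFH_BANDS
    return mode, target, sil_for(target, bands)


# Constructed hazards, not taken from any real analysis.
HAZARDS: List[Hazard] = [
    Hazard("vessel overpressure, trip on high pressure", 0.5, 1e-4),
    Hazard("press cycle without guard closed", 100.0, 1e-3),
    Hazard("minor spill, catch tray present", 0.01, 0.005),
    Hazard("runaway reaction, single trip proposed", 1.0, 1e-7),
]

if __name__ == "__main__":
    for h in HAZARDS:
        mode, target, sil = allocate(h)
        print(f"{h.name}: RRF {required_risk_reduction(h):g}, "
              f"{mode.value} = {target:.2e}, SIL {sil}")
```

The last two constructed hazards show the two outcomes a table of SIL bands alone does not: a target lax enough that no SIL is claimed, and one so demanding that no single E/E/PE system can meet it.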
The safety integrity level allocated to a specified safety function within the E/E/PE safety-related system will determine the level of rigor required for compliance with the standard. Other factors will also influence this (see section 4.1 of IEC 61508-1).
Some parts of the standard explicitly indicate the relationship between requirements and safety integrity level, such as:
- Table 5 of IEC 61508-1
- Subclause 7.4.2 and annexes A and B of IEC 61508-2
- Annexes A and B of IEC 61508-3
Although all four normative annexes provide recommendations for specific techniques and measures, they differ in what is required for compliance.
In subclause A.2 of IEC 61508-2, Table A.1 outlines the requirements for detecting faults or failures through techniques and measures to control hardware failures. Tables A.2 to A.15 in the same subclause support Table A.1 by recommending techniques and measures for diagnostic tests and specifying the maximum levels of diagnostic coverage that can be achieved. To comply with the standard, the requirements of Table A.1 must be fulfilled. However, Tables A.2 to A.15 offer just one set of possible ways to meet these requirements.
Subclause A.3 of IEC 61508-2, including Tables A.16 to A.18, recommends specific techniques and measures, but their use is not mandatory for compliance. If a highly recommended technique or measure for the safety integrity level is not used, the rationale for this decision must be documented. Additionally, any techniques or measures chosen from Tables A.16 to A.18 must be used to the extent necessary to achieve at least the level of effectiveness stated in the table. Table A.19 provides guidance on the meaning of “low” and “high” effectiveness for some of the techniques and measures.
Annex B of IEC 61508-2 provides recommendations similar to those in subclause A.3. When a technique or measure that is highly recommended for the safety integrity level is not used, or when a technique that is explicitly not recommended is used, the rationale must be detailed. It is also necessary to achieve the level of effectiveness stated in the table for any techniques or measures that are used. Table B.6 offers guidance on what constitutes low and high effectiveness for most techniques and measures.
In both Annexes A and B of IEC 61508-2, table shading offers guidance on selecting and combining techniques and measures.
It is important to note that Annex C of IEC 61508-2 is also normative and contains requirements that are necessary for compliance.
In Annexes A and B of IEC 61508-3, the standard requires that appropriate techniques and measures be selected based on the safety integrity level. While the annexes list specific techniques, other techniques may be used as long as they meet the relevant IEC 61508-3 requirements. Anyone claiming compliance with the standard must consider which techniques or measures are most appropriate for the specific challenges encountered during the development of each E/E/PE safety-related system. For guidance on justifying the selection of software techniques, refer to IEC 61508-3 Annex C (and supplementary information in IEC 61508-7 Annex F).
A key concern is the role of systematic factors in the failure of a safety function. These factors can arise in both hardware and software, and the effectiveness of measures used to meet the target failure measures for systematic safety integrity generally needs to be assessed qualitatively.
The tables in Annexes A and B of IEC 61508-3, which recommend software techniques, are not checklists for guaranteeing systematic safety integrity in software. Given the many factors that affect software systematic capability, it is not feasible to provide a one-size-fits-all approach for combining techniques and measures. This is why Annex C (and supplementary information in IEC 61508-7 Annex F) was developed, to:
Guide the selection of techniques from Annexes A and B to achieve software systematic capability.
Provide a rationale for justifying the use of techniques not explicitly listed in Annexes A and B.
When choosing software techniques, several key factors must be considered, including:
The developers’ competence and experience with the techniques.
Familiarity with the application and potential challenges.
The size or complexity of the application.
Industry sector recommendations and recognised good practice.
National and international published standards.
Annexes A and B recommend documenting the rationale for not following the guidance on highly recommended or not recommended techniques during safety planning, with the rationale being agreed upon with the assessor.
In both IEC 61508-2 and IEC 61508-3, the choice of techniques for each lifecycle phase must be documented (see clause 5 of IEC 61508-1). Additionally, some subclauses require justification for the selection of techniques and measures, even when all recommendations are followed. For example, see clauses 7.3.2.2 e) and 7.4.2.9 of IEC 61508-2, and 7.4.3.2 a) of IEC 61508-3.
Clause 6 of IEC 61508-1 sets out the requirements for organisations responsible for an E/E/PE safety-related system, or for one or more phases of the overall, E/E/PE system or software safety lifecycles. Clause 5 of IEC 61508-1 specifies the documentation requirements. The key requirement is that the documentation must contain sufficient information for each completed phase of the overall, E/E/PE system and software safety lifecycles to support effective performance of the subsequent phases and of the verification activities.
Of relevance in this context is the “Safety Manual for Compliant Items” (see IEC 61508-2, Annex D). This manual serves to document all the necessary information for a compliant item, enabling its integration into a safety-related system or subsystem in compliance with the requirements of IEC 61508.
In summary, IEC 61508 establishes requirements to ensure that essential information is available to those responsible for achieving functional safety. Clause 5 of IEC 61508-1 sets out the general need for sufficient information, while the safety manual for compliant items specifies the information that must be provided for an item (e.g., a component) for which the supplier claims compliance with certain clauses of IEC 61508.
Table 1 of IEC 61508-1 specifies the information required for each phase of the overall safety lifecycle. Tables 1 of IEC 61508-2 and IEC 61508-3 provide equivalent information for the E/E/PE system safety and software safety lifecycles, respectively.
For example, part of the entry from Table 1 of IEC 61508-1 for the “Realisation” phase of E/E/PE safety-related systems is shown below. It demonstrates that a system supplier responsible for the realisation phase needs documentation containing the specification of the E/E/PES safety requirements. This specification outlines all the safety functions allocated to the E/E/PE safety-related system(s) along with the corresponding safety integrity requirements for each function.
A safety integrity level (SIL) is not directly assigned to individual subsystems, elements, or components. It applies to the safety function performed by the E/E/PE safety-related system.
IEC 61508 addresses all components of the E/E/PE safety-related system, including field equipment and specific project application logic. These subsystems, elements, and components, when combined to implement the safety function(s), must meet the safety integrity level (SIL) target of the relevant safety functions. Any design using subsystems and components that are claimed to be suitable for the required SIL target must be assessed to verify their suitability. Suppliers of products intended for use in E/E/PE safety-related systems must provide sufficient information to support a demonstration of compliance with IEC 61508. Additionally, they must comply with Annex D of IEC 61508-2, which outlines the requirements for the “Safety Manual for Compliant Items.”
As a supplier of items (such as components or elements) for which you are claiming compliance with specific clauses of IEC 61508, you are required to comply with IEC 61508-2, Annex D, “Safety Manual for Compliant Items.” The purpose of the safety manual is to document all the information needed to enable the integration of the compliant item into a safety-related system, subsystem, or element, in accordance with IEC 61508 requirements.
The following subclauses are particularly relevant in this context:
IEC 61508-2/7.4.9.6: Suppliers must provide a safety manual for each compliant item they supply and claim compliance with, according to Annex D of IEC 61508-2.
IEC 61508-2/7.4.9.7: The supplier must document a justification for all information provided in each safety manual for compliant items.
Note 1: It is crucial that the claimed safety performance of an element is supported by sufficient evidence. Unsupported claims do not contribute to establishing the correctness and integrity of the safety function that the element supports.
Note 2: There may be commercial or legal restrictions on the availability of evidence. These restrictions fall outside the scope of this standard. If such restrictions prevent the functional safety assessment from accessing the necessary evidence, the element cannot be considered suitable for use in E/E/PE safety-related systems.
The standard mandates that a functional safety assessment be carried out on all parts of the E/E/PE safety-related system and throughout all phases of the lifecycle; it cannot be limited to selected parts or phases (see clause 8 of IEC 61508-1).
The required level of independence for the assessor varies depending on the safety integrity level (SIL). For SIL 1, the assessor may be an independent person within the same organisation, while for SIL 4, the assessor must be from an independent organisation. For SIL 2 and SIL 3, the level of independence is influenced by factors such as system complexity, design novelty, and the developers’ previous experience. Additionally, it is a specific requirement that the assessor be competent in the activities they are undertaking.
The required level of independence should be distinguished from the concept of third-party certification, which is not a requirement of IEC 61508. In some cases, companies may need to fulfill the requirement for independent persons or departments by engaging an external organisation. However, this does not mean that the external organisation must be a certification body. The external organisation should have the necessary competence and the appropriate level of independence to perform the task, but it may or may not be a certification body.
On the other hand, companies with internal organisations skilled in risk assessment and the application of safety-related systems, which are independent from and separate (in terms of management and resources) from those responsible for the main development, may be able to use their own resources to meet the requirements for an independent organisation (see note 2 of 8.2.12 of IEC 61508-1).
For definitions of independent person, independent department, and independent organisation, refer to sections 3.8.10, 3.8.11, and 3.8.12 of IEC 61508-4.
IEC 61508 mandates the consideration of human factors in identifying hazards and hazardous events (7.4.2.3 of IEC 61508-1) as well as in the design of the E/E/PE safety-related system (7.4.5.3 of IEC 61508-2). For E/E/PE safety-related protection systems, three key areas must be addressed:
Human actions or errors that could place a demand on the E/E/PE safety-related protection system – these need to be identified and quantified.
Human failure to respond effectively to alarms or take actions that would otherwise reduce the demand on the E/E/PE safety-related protection system.
Human failure in testing and maintaining the E/E/PE safety-related protection system, which can reduce its effectiveness and increase the likelihood of failure on demand.
Clause 7.5.2.4 of IEC 61508-1 sets out the conditions under which an EUC control system need not be designated as a safety-related system. In summary:
The dangerous failure rate claimed for the control system must be no lower than 10^-5 dangerous failures per hour. Since the SIL 1 band for high demand or continuous mode is bounded above by 10^-5 per hour, a control system that is not designated safety-related is never credited with SIL 1 performance.
Adequate evidence must be provided that the claimed dangerous failure rate is actually achieved (the acceptable sources of such evidence are listed in 7.5.2.4 of IEC 61508-1).
All reasonably foreseeable dangerous failure modes of the control system must be identified and taken into account.
It is important to note that the dangerous failure rate referred to in these requirements is that of a specific dangerous failure mode of a function performed by the control system, which could, in this context, place a demand on a safety-related system.
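As an added worked example (not code from the page or from the IEC), the following Python puts together the two numerical rules discussed on this page: it selects PFDavg or PFH according to the mode of operation (IEC 61508-4, 3.5.16), places the value in the SIL band of IEC 61508-1 Table 2 or Table 3, and applies the 7.5.2.4 floor of 10^-5 dangerous failures per hour for a control system that is not designated safety-related. The 1oo1 PFDavg ≈ λDU·T1/2 approximation is the simplified IEC 61508-6 Annex B form with detected dangerous failures and repair times neglected; it is assumed here for illustration only. The failure rates and demand rates in the example are constructed, and the function names are the example's own.

```python
"""IEC 61508 target failure measure worked example.

Added illustration, not code from the page or from the IEC. The SIL bands are
IEC 61508-1:2010 Table 2 (PFDavg, low demand) and Table 3 (PFH, high demand /
continuous); the mode rule is IEC 61508-4 3.5.16; the 10^-5 per hour floor is
IEC 61508-1 7.5.2.4 c). The 1oo1 PFDavg formula is the simplified form of
IEC 61508-6 Annex B with detected failures and repair times neglected
(an ASSUMPTION for illustration). Function names are this example's own.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

HOURS_PER_YEAR = 8760.0

# Each band is [lower, upper): a value equal to the upper limit falls in the
# next worse SIL (e.g. PFDavg = 1e-3 is SIL 2, not SIL 3).
PFD_BANDS: Dict[int, Tuple[float, float]] = {
    4: (1e-5, 1e-4), 3: (1e-4, 1e-3), 2: (1e-3, 1e-2), 1: (1e-2, 1e-1)}
PFH_BANDS: Dict[int, Tuple[float, float]] = {
    4: (1e-9, 1e-8), 3: (1e-8, 1e-7), 2: (1e-7, 1e-6), 1: (1e-6, 1e-5)}

# IEC 61508-1 7.5.2.4 c): an EUC control system that is NOT designated
# safety-related may not claim a dangerous failure rate lower than this.
CONTROL_SYSTEM_RATE_FLOOR_PER_HOUR = 1e-5


def mode_of_operation(demands_per_year: float, continuous: bool = False) -> str:
    """IEC 61508-4 3.5.16: low demand when demands are no more frequent than
    one per year, high demand above that. Continuous mode (the safety function
    keeps the EUC in a safe state as part of normal operation) is a design
    statement, so the caller declares it rather than deriving it from a rate."""
    if continuous:
        return "continuous"
    return "low demand" if demands_per_year <= 1.0 else "high demand"


def _band_lookup(bands: Dict[int, Tuple[float, float]], value: float) -> Optional[int]:
    for sil, (lower, upper) in bands.items():
        if lower <= value < upper:
            return sil
    return None  # outside Tables 2/3: either better than SIL 4 or worse than SIL 1


def sil_from_pfd(pfd_avg: float) -> Optional[int]:
    """Band of IEC 61508-1 Table 2 that a PFDavg value falls in."""
    return _band_lookup(PFD_BANDS, pfd_avg)


def sil_from_pfh(pfh: float) -> Optional[int]:
    """Band of IEC 61508-1 Table 3 that a PFH value falls in."""
    return _band_lookup(PFH_BANDS, pfh)


def pfd_avg_1oo1(lambda_du_per_hour: float, proof_test_interval_hours: float) -> float:
    """Simplified single-channel (1oo1) PFDavg ~= lambda_DU * T1 / 2.
    ASSUMPTION: detected dangerous failures, MTTR and MRT are ignored; the
    full IEC 61508-6 B.3.2.2 expression includes them."""
    return lambda_du_per_hour * proof_test_interval_hours / 2.0


@dataclass(frozen=True)
class Assessment:
    mode: str
    measure: str              # "PFDavg" or "PFH", chosen by the mode
    value: float
    sil_band: Optional[int]   # band the target failure measure falls in, or None


def assess_target_failure_measure(demands_per_year: float, *,
                                  pfd_avg: Optional[float] = None,
                                  pfh: Optional[float] = None,
                                  continuous: bool = False) -> Assessment:
    """Pick the measure the mode requires and return the band it sits in.
    NOTE: the band alone is not a SIL claim. The architectural constraints
    (IEC 61508-2 7.4.4) and systematic capability must be met as well."""
    mode = mode_of_operation(demands_per_year, continuous)
    if mode == "low demand":
        if pfd_avg is None:
            raise ValueError("low demand mode is measured by PFDavg, not PFH")
        return Assessment(mode, "PFDavg", pfd_avg, sil_from_pfd(pfd_avg))
    if pfh is None:
        raise ValueError(f"{mode} mode is measured by PFH, not PFDavg")
    return Assessment(mode, "PFH", pfh, sil_from_pfh(pfh))


def control_system_claim_acceptable(claimed_dangerous_rate_per_hour: float) -> bool:
    """IEC 61508-1 7.5.2.4 c): True if the claim may be made for a control
    system that is not designated safety-related; False means the system must
    be designated safety-related or the claim must be worsened to the floor."""
    return claimed_dangerous_rate_per_hour >= CONTROL_SYSTEM_RATE_FLOOR_PER_HOUR


if __name__ == "__main__":
    # Constructed figures: a 1oo1 shutdown function demanded about once per
    # five years, lambda_DU = 2e-7 /h, proof tested yearly, then every two years.
    for years in (1, 2):
        pfd = pfd_avg_1oo1(2e-7, years * HOURS_PER_YEAR)
        a = assess_target_failure_measure(0.2, pfd_avg=pfd)
        print(f"T1={years}y  {a.measure}={a.value:.2e}  mode={a.mode}  band=SIL {a.sil_band}")
    # Constructed high demand case: 12 demands per year, PFH 5e-7 /h.
    print(assess_target_failure_measure(12, pfh=5e-7))
    # Control system claims: 2e-5 /h may be claimed, 3e-6 /h may not.
    print(control_system_claim_acceptable(2e-5), control_system_claim_acceptable(3e-6))
```

Two things the text states in words that the numbers make concrete: the same 1oo1 channel moves from the SIL 3 band to the SIL 2 band when its proof-test interval doubles, and a value that lands exactly on a band boundary belongs to the next worse band. The band of the target failure measure is only one condition for claiming a SIL; the architectural constraints of IEC 61508-2 (7.4.4) and the systematic capability requirements must be satisfied too.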